hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

"Root resource was present, but now absent" on resource "vault_token". #1424

Open robertdebock opened 2 years ago

robertdebock commented 2 years ago

Hi there,

Terraform Version

Terraform v1.1.9
on darwin_arm64

Affected Resource(s)


Terraform Configuration Files

terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "3.5.0"
    }
  }
}

provider "vault" {
  address = "http://127.0.0.1:8200"
  token   = "hvs.REDACTED"
}

data "vault_policy_document" "dr" {
  rule {
    path         = "sys/replication/dr/secondary/promote"
    capabilities = ["update"]
    description  = "Create and manage ACL policies"
  }
  rule {
    path         = "sys/replication/dr/secondary/update-primary"
    capabilities = ["update"]
    description  = "To update the primary to connect"
  }
  rule {
    path         = "sys/storage/raft/autopilot/state"
    capabilities = ["read", "update"]
    description  = "To read the current autopilot status"
  }
}

resource "vault_policy" "dr" {
  name   = "dr-secondary-promotion"
  policy = data.vault_policy_document.dr.hcl
}

resource "vault_token_auth_backend_role" "dr" {
  role_name        = "failover-handler"
  allowed_policies = [vault_policy.dr.name]
  orphan           = true
  renewable        = false
  token_type       = "batch" # <- I can reproduce it when `batch` is used...
}

resource "vault_token" "dr" {
  role_name    = vault_token_auth_backend_role.dr.role_name
  display_name = "dr-secondary-promotion"
  ttl          = "8h"
}

Debug Output

Gist

Expected Behavior

Was hoping a token would have been created. Manually creating a token works:

vault token create -role=failover-handler -ttl=8h

Actual Behavior

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to vault_token.dr, provider "provider[\"registry.terraform.io/hashicorp/vault\"]"
│ produced an unexpected new value: Root resource was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Steps to Reproduce

  1. terraform init
  2. terraform apply

Important Factoids

This issue can be reproduced when vault_token_auth_backend_role.dr.token_type = "batch".

References

scaswell-hirez commented 1 year ago

I can confirm this is still happening in 2023, on

Terraform v1.4.6 on windows_amd64 provider registry.terraform.io/hashicorp/vault v3.15.2

Executing the following Terraform

provider "vault" {
  address = "redacted"
  auth_login {
    path = "auth/approle/login"

    parameters = {
      role_id   = "redacted"
      secret_id = "redacted"
    }
  }
}

resource "vault_token" "periodic_token" {
  ttl       = "2m"
  renewable = true
  no_parent = true
  period    = "1m"
}

output "token" {
  value = nonsensitive(vault_token.periodic_token.client_token)
}

Results in the following output

╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to vault_token.periodic_token, provider "provider[\"registry.terraform.io/hashicorp/vault\"]"
│ produced an unexpected new value: Root resource was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵

The type of token doesn't matter. I've confirmed this exact behavior no matter what kind of token is being created.

hsmade commented 11 months ago

Looking at the code, this seems very likely to happen when you've got a slightly slow storage system. The token create looks like this:

func tokenCreate(d *schema.ResourceData, meta interface{}) error {
    ....
    < create token>
    ....
    return tokenRead(d, meta)
}

hsmade commented 11 months ago

I had the same error as well, and found out that in the end the token used by terraform was lacking POST permission on /auth/token/lookup-accessor which is used by tokenRead().

(provider version 3.18.0, vault version 1.13.1)
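One way to act on the permission finding above, as an added example that is not code from the issue or from the provider: a least-privilege policy for the token Terraform itself runs with, written in the same `vault_policy_document` style as the issue's configuration. The policy and data source names are assumptions, and the `revoke-accessor` rule is an assumption about what the provider does on destroy; the `lookup-accessor` rule is the one hsmade found missing.

```hcl
# Added example, not from the issue or the provider: permissions for the
# token that runs `terraform apply`, scoped to the "failover-handler" role
# from the issue's configuration. Paths are the Vault token API paths;
# confirm them against the Vault version you run.
data "vault_policy_document" "terraform_runner" {
  rule {
    path         = "auth/token/create/failover-handler"
    capabilities = ["update"]
    description  = "Issue tokens against the failover-handler role"
  }
  rule {
    # tokenRead() looks the new token up by accessor right after create.
    # The lookup is a POST, so the required capability is "update".
    path         = "auth/token/lookup-accessor"
    capabilities = ["update"]
    description  = "Read back the created token by accessor"
  }
  rule {
    # Assumed: destroy revokes the token through its accessor.
    path         = "auth/token/revoke-accessor"
    capabilities = ["update"]
    description  = "Revoke the token on destroy"
  }
}

resource "vault_policy" "terraform_runner" {
  name   = "terraform-runner"
  policy = data.vault_policy_document.terraform_runner.hcl
}
```

This covers only the missing-permission case reported in this comment; the failure with `token_type = "batch"` under a root token, reported later in the thread, is not a policy problem and is not addressed by it.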

aurelienmaury commented 9 months ago

Vault 1.14.2 provider 3.21.0

Exact same conditions lead to exact same results.

I'm using the root token to apply my terraform code, so that should not be an issue around permissions.

Also, with only changing (in the code example of the issue statement) the vault_token_auth_backend_role.dr.token_type to service: the code can be applied without error.

Taking all hints. Thanks.

vodila-privet commented 1 month ago

Hi there, have the same error